Hi Guys,

running a hardening tool I stumbled upon systemd's own security analysis,
which doesn't look good:


$ systemd-analyze security
UNIT                                         EXPOSURE PREDICATE HAPPY
NetworkManager.service                            7.8 EXPOSED   🙁
abrt-journal-core.service                         9.6 UNSAFE    😨
abrt-oops.service                                 9.6 UNSAFE    😨
abrt-xorg.service                                 9.6 UNSAFE    😨
abrtd.service                                     9.6 UNSAFE    😨
accounts-daemon.service                           9.6 UNSAFE    😨
alsa-state.service                                9.6 UNSAFE    😨
atd.service                                       9.6 UNSAFE    😨
auditd.service                                    8.7 EXPOSED   🙁
avahi-daemon.service                              9.6 UNSAFE    😨
chronyd.service                                   8.9 EXPOSED   🙁
colord.service                                    8.8 EXPOSED   🙁
crond.service                                     9.6 UNSAFE    😨
cups.service                                      9.6 UNSAFE    😨
dbus-:1.8-org.freedesktop.problems@0.service      9.6 UNSAFE    😨
dbus-broker.service                               8.7 EXPOSED   🙁
dm-event.service                                  9.5 UNSAFE    😨
emergency.service                                 9.5 UNSAFE    😨
fail2ban.service                                  9.6 UNSAFE    😨
fcoe.service                                      9.6 UNSAFE    😨
flatpak-system-helper.service                     9.6 UNSAFE    😨
gdm.service                                       9.8 UNSAFE    😨
getty@tty1.service                                9.6 UNSAFE    😨
irqbalance.service                                6.2 MEDIUM    😐
iscsid.service                                    9.5 UNSAFE    😨
iscsiuio.service                                  9.5 UNSAFE    😨
libvirtd.service                                  9.6 UNSAFE    😨
lvm2-lvmpolld.service                             9.5 UNSAFE    😨
mdmonitor.service                                 9.6 UNSAFE    😨
multipathd.service                                9.5 UNSAFE    😨
network.service                                   9.6 UNSAFE    😨
nmb.service                                       9.6 UNSAFE    😨
nscd.service                                      9.6 UNSAFE    😨
ntpd.service                                      9.2 UNSAFE    😨
nvidia-powerd.service                             9.6 UNSAFE    😨
plymouth-start.service                            9.5 UNSAFE    😨
polkit.service                                    9.6 UNSAFE    😨
rasdaemon.service                                 9.6 UNSAFE    😨
rc-local.service                                  9.6 UNSAFE    😨
rescue.service                                    9.5 UNSAFE    😨
restorecond.service                               9.6 UNSAFE    😨
rngd.service                                      9.6 UNSAFE    😨
rpcbind.service                                   9.5 UNSAFE    😨
rsyslog.service                                   9.6 UNSAFE    😨
rtkit-daemon.service                              7.1 MEDIUM    😐
smb.service                                       9.6 UNSAFE    😨
sshd.service                                      9.6 UNSAFE    😨
switcheroo-control.service                        7.6 EXPOSED   🙁
systemd-ask-password-console.service              9.4 UNSAFE    😨
systemd-ask-password-plymouth.service             9.5 UNSAFE    😨
systemd-ask-password-wall.service                 9.4 UNSAFE    😨
systemd-initctl.service                           9.4 UNSAFE    😨
systemd-journald.service                          4.3 OK        🙂
systemd-logind.service                            2.8 OK        🙂
systemd-machined.service                          6.2 MEDIUM    😐
systemd-oomd.service                              1.8 OK        🙂
systemd-rfkill.service                            9.4 UNSAFE    😨
systemd-timesyncd.service                         2.1 OK        🙂
systemd-udevd.service                             6.7 MEDIUM    😐
udisks2.service                                   9.6 UNSAFE    😨
upower.service                                    2.4 OK        🙂
user@1000.service                                 9.4 UNSAFE    😨
virtlockd.service                                 9.6 UNSAFE    😨
virtlogd.service                                  9.6 UNSAFE    😨
winbind.service                                   9.6 UNSAFE    😨
wpa_supplicant.service                            9.6 UNSAFE    😨

As an example:

-rw-r--r--. 1 root root 994 19. Aug 2021  upower.service
-rw-r--r--. 1 root root 177 29. Jan 2021  udisks.service

upower has several restrictions set, udisks not even one of them.

Do those "insecure" units come from upstream projects, or is Fedora lagging behind some patches?

Is there a way to find out if missing restriction options are a problem for the service, and if not, any way to tell that analysis tool about it?

best regards,
Marius
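
The exposure score above is a checklist of sandboxing directives present in the unit, not a vulnerability finding; the practical way to learn whether a missing restriction matters for a given service is to add it in a drop-in, restart the unit and watch the journal for failures. The shell helpers below are an added example, not code from the original post: one parses `systemd-analyze security` table output (a constructed excerpt of the poster's table) to flag units at or above a score, the other writes a candidate hardening drop-in for a named unit. The directive set in the drop-in is an assumption, a generic starting set that must be validated per service.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Two helpers around
# `systemd-analyze security`:
#   list_unsafe_units      parse the table output, print rows at/above a score
#   write_hardening_dropin write a candidate sandboxing drop-in for a unit
set -eu

# Constructed excerpt of the table from the post (same column layout).
SAMPLE_TABLE='UNIT                                         EXPOSURE PREDICATE HAPPY
udisks2.service                                   9.6 UNSAFE    😨
upower.service                                    2.4 OK        🙂
systemd-udevd.service                             6.7 MEDIUM    😐'

# Print "unit score predicate" for every row whose exposure score is
# >= threshold (default 9.0). Skips the header row.
list_unsafe_units() {
  local table="$1" threshold="${2:-9.0}"
  printf '%s\n' "$table" | awk -v t="$threshold" '
    NR > 1 && ($2 + 0) >= (t + 0) { print $1, $2, $3 }'
}

# Write <root>/etc/systemd/system/<unit>.d/hardening.conf and print its path.
# Use root "/" on a live system, then `systemctl daemon-reload`, restart the
# unit and read `journalctl -u <unit>`: a directive the service cannot live
# with shows up there as start failures or permission errors.
write_hardening_dropin() {
  local unit="$1" root="${2:-/}"
  local dir="${root%/}/etc/systemd/system/$unit.d"
  mkdir -p "$dir"
  cat > "$dir/hardening.conf" <<'EOF'
[Service]
# Candidate directives (assumption: a starting set, not tuned for any unit).
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
# Frequent breakers: strict needs ReadWritePaths=/StateDirectory= for any
# state the daemon writes; MemoryDenyWriteExecute= breaks JIT runtimes.
ProtectSystem=strict
MemoryDenyWriteExecute=yes
EOF
  printf '%s\n' "$dir/hardening.conf"
}
```

Recent systemd releases also accept `systemd-analyze security --threshold=N`, which exits non-zero when a unit scores above N, so the parsing helper is mainly useful for older hosts or for saved output.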


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org